
Departmental Regulations

Dáil Éireann Debate, Tuesday - 18 April 2023

Questions (196)

Cian O'Callaghan

Question:

196. Deputy Cian O'Callaghan asked the Minister for the Environment, Climate and Communications what measures are in place to regulate the financial technology sector; what regulation is in place to ensure that robust security measures are used by financial technology services offered in Ireland to counteract scams and fraud; and if he will make a statement on the matter. [17278/23]

Written answers

To safeguard the efficient functioning of our banking system as well as the security of the personal and other data held by banks and financial services companies, it is vital that robust cyber security measures are implemented by the entities concerned.

The European Union Directive 2016/1148 concerning measures for a high common level of security of network and information systems, the NIS Directive, established a regulatory framework to safeguard Operators of Essential Services in specific sectors of Critical National Infrastructure, including banking and financial market infrastructures. The NIS Directive was published in the Official Journal of the EU in July 2016 and was transposed into Irish law on the 18th of September 2018 by way of Statutory Instrument No. 360 of 2018 (hereafter “the 2018 Regulations”).

The 2018 Regulations place a number of significant responsibilities on the State and on critical infrastructure in respect of cyber security. These responsibilities are wide ranging, but, inter alia, require the State to identify Operators of Essential Services (OES) in specific sectors of Critical National Infrastructure. These OES are required to take appropriate and proportionate technical and organisational measures to manage security risks to their network and information systems; to take steps to prevent and minimise the impact of any incident that affects the security of their network and information systems to ensure the continuity of the services they provide; and to report serious incidents to the National Competent Authority and the national Computer Security Incident Response Team (CSIRT), and to comply with instructions of these authorities in this regard.

The Directive obliged the State to designate National Competent Authorities (NCA) in respect of the security of network and information systems. These entities ensure that the implementation of the Directive is monitored on an ongoing basis within the State and formalise channels of communication both with the relevant authorities of other Member States and with An Garda Síochána and the Office of the Data Protection Commissioner. Regulation 7(2) of the 2018 Regulations designates the Central Bank of Ireland as the NCA in respect of operators of essential services in the Banking and Financial Market Infrastructures sectors. I am designated as the NCA for the other five sectors within scope of the NIS Directive, and Ireland’s CSIRT is in the National Cyber Security Centre.

In the years since 2018, the global cyber threat landscape has deteriorated and many significant cyber security incidents have occurred, including the ransomware incident which impacted the HSE’s systems in May 2021. The European Union and its Member States, recognising the need for an enhanced regulatory framework, initiated at the end of 2020 a review of the NIS Directive and a revised NIS Directive, “NIS2”, was published in the Official Journal of the European Union as Directive (EU) 2022/2555 on 27 December 2022. NIS 2 will bring a broad expansion of the scope of the Directive as well as a strengthened supervisory and enforcement regime for existing sectors, underpinned by a set of sanctions and fines. The transposition and implementation of the NIS2 Directive will enhance further the resilience of Ireland’s banking and financial services sector to cyber security incidents, and officials in my Department are in ongoing contact with colleagues in the Department of Finance and the Central Bank of Ireland.

The prevention and investigation of financial and other fraud offences is a matter for An Garda Síochána. The National Cyber Security Centre has partnered with An Garda Síochána to develop and publish advice and guidance to help citizens and businesses identify fraudulent communications such as so-called phishing and smishing messages, and to implement appropriate cyber security measures.
